NogDog

As far as SQL injection is concerned, the only part of all of that which means anything is where you use bound parameters in your prepared statement. Doing that as you are for any external values will take care of this issue -- everything else is application-specific as to how you want to filter or not filter inputs for other (non-SQL-related) reasons.
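
An added illustration of the point in the reply above; it is not part of NogDog's post or of the code being discussed. It uses Python's `sqlite3` with a constructed `users` table and hypothetical function names, and compares a query built by string concatenation with the same query using a bound parameter, without any input filtering in either case.

```python
import sqlite3

def make_db():
    """Build an in-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("O'Brien", "obrien@example.test"),
         ("carol", "carol@example.test")],
    )
    return db

def find_concatenated(db, name):
    """'Before' form: the external value becomes part of the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_bound(db, name):
    """Bound parameter: the value is passed separately and is only ever data."""
    return [row[0] for row in db.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input that contains SQL syntax
    results = {
        # Concatenation lets the input rewrite the WHERE clause.
        "concat_crafted": find_concatenated(db, crafted),
        # Binding compares the whole string against the name column.
        "bound_crafted": find_bound(db, crafted),
        # A legitimate name with an apostrophe needs no filtering when bound.
        "bound_quote": find_bound(db, "O'Brien"),
    }
    try:
        find_concatenated(db, "O'Brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError:
        # The stray quote breaks the statement text itself.
        results["concat_quote"] = "syntax error"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The bound version returns no rows for the crafted input and the correct row for `O'Brien`, so any further filtering of `name` is a matter of application rules rather than SQL safety.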